Newly published guidance reveals the framework through which departments are asked to assess the risks posed by legacy technology systems and calculate which platforms should be ‘red rated’ for urgent remediation
The government’s framework for identifying the most urgent risks posed by legacy IT now includes consideration of waning knowledge of the technology’s operation and issues with downtime in the recent past.
Created and launched last year by the Central Digital and Data Office, government’s Legacy IT Risk Assessment Framework was developed to assess the dangers posed by ageing tech systems. The framework – which has now been published for the first time – sets out processes by which departments and agencies should assess technology platforms, and the equation for quantifying the level of risk.
The document first sets out a definition of legacy IT – one which is expanded somewhat from previous guidelines.
The new specifications set out seven “indicators” that a hardware or software platform is likely to be considered legacy:
- software out of support
- expired vendor contracts
- too few people with required knowledge and skills
- inability to meet current or future business needs
- unsuitable hardware
- known security vulnerabilities
- recent problems or downtime
The addition to government’s legacy tech criteria of an explicit consideration of the relevant people skills reflects a well-known difficulty of maintaining systems whose lifespan, in some cases, now exceeds the length of entire careers. Senior tech leaders have described instances where they have needed to “persuade people not to retire” in order to support the ongoing operation of a decades-old system whose other expert users have long since left.
Before the creation of the framework, government used a five-point checklist for defining legacy tech. This included systems that are considered to be: end-of-life products; out of supplier support; impossible to update; no longer cost-effective; above the acceptable risk threshold.
Such risk thresholds can now be precisely calculated, via a process set out in the new framework.
Departmental teams are asked to assess tech systems and provide a “likelihood” score for each of the seven indicators – on a six-point scale where 6 is ‘certain’ and 1 is ‘very low’.
The assessment then requires a mean score to be calculated across all seven indicators, and the overall likelihood score to be set at the midpoint between that mean and the maximum score of six.
So, for example, an average score of 5.2 would be recorded as an overall likelihood score of 5.6 – the halfway point between the mean and the maximum.
Alongside the seven core indicators are six types of ‘impact’, respectively covering the potential effect on: national security; government’s reputation; finances and budgets; external stakeholders; operations; other technology systems.
In assessing a legacy system, departments are asked to assess the extent to which a failure of the system would have an impact in each of the six defined areas. The potential for impact should be ranked on a five-point scale where 5 is ‘very high’ and 1 is ‘very low’.
Once again, the assessment process then requires a mean score to be calculated from the cumulative score across the six areas, and the final impact rating to be set at the midpoint between that mean and the maximum score of five.
For example: a cumulative score of 24 would result in an average of 4 – and a final rating of 4.5.
To arrive at a final risk score, the rating of likelihood should be multiplied by that of impact. In the examples cited above, this would mean a calculation of 5.6 x 4.5, resulting in a final score of 25.2.
The maximum possible is 30 – equating to six multiplied by five – and any system that scores above 16 is automatically considered ‘red rated’.
“This indicates a nationally critical level of risk requiring immediate attention,” the guidance adds. “Systems with a ‘red-rated’ status represent the highest level of risk due to their combination of high likelihood and high impact. These systems should be prioritised for urgent modernisation, updates, or replacement. Lower-risk systems can be addressed in subsequent phases. Note that the assigned Likelihood and Impact levels can be plotted on a risk matrix to help visualise the relative risk levels for different systems within your estate.”
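The scoring procedure described above, as an added worked example that is not code from CDDO or the framework document; the indicator and impact scores it is run on are constructed sample values, and the impact example reproduces the article’s cumulative score of 24.

```python
"""Legacy IT Risk Assessment Framework scoring, as described in the article above.

Added illustration, not the framework's own tooling; all sample scores are constructed.
"""
from statistics import mean

# The seven likelihood indicators, each scored 1 (very low) to 6 (certain).
LIKELIHOOD_INDICATORS = (
    "software out of support",
    "expired vendor contracts",
    "too few people with required knowledge and skills",
    "inability to meet current or future business needs",
    "unsuitable hardware",
    "known security vulnerabilities",
    "recent problems or downtime",
)
# The six impact areas, each scored 1 (very low) to 5 (very high).
IMPACT_AREAS = (
    "national security", "government reputation", "finances and budgets",
    "external stakeholders", "operations", "other technology systems",
)
LIKELIHOOD_MAX = 6
IMPACT_MAX = 5
RED_THRESHOLD = 16  # a final score above this is red rated; the maximum possible is 30


def _midpoint_with_max(scores, maximum, expected_count, label):
    """Mean of the scores, then the halfway point between that mean and the scale maximum."""
    if len(scores) != expected_count:
        raise ValueError(f"{label}: expected {expected_count} scores, got {len(scores)}")
    if any(not 1 <= s <= maximum for s in scores):
        raise ValueError(f"{label}: each score must lie between 1 and {maximum}")
    return (mean(scores) + maximum) / 2


def likelihood_score(indicator_scores):
    return _midpoint_with_max(indicator_scores, LIKELIHOOD_MAX, len(LIKELIHOOD_INDICATORS), "likelihood")


def impact_score(area_scores):
    return _midpoint_with_max(area_scores, IMPACT_MAX, len(IMPACT_AREAS), "impact")


def risk_rating(indicator_scores, area_scores):
    """Return (final risk score rounded to 2 d.p., whether the system is red rated)."""
    risk = likelihood_score(indicator_scores) * impact_score(area_scores)
    return round(risk, 2), risk > RED_THRESHOLD


if __name__ == "__main__":
    # Constructed sample: an ageing system with mostly high likelihood scores (sum 36)
    # and impact scores summing to 24, the cumulative figure used in the article.
    print(risk_rating([6, 6, 5, 5, 5, 5, 4], [5, 4, 4, 4, 4, 3]))
```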
All ministerial departments are required to conduct annual organisation-wide assessments of legacy IT and submit the findings to a central register created by CDDO. The initial tranche of assessments completed following the launch of the framework resulted in 153 red-rated assets being logged on the register as priorities for remediation.
Although executive agencies and other arm’s-length bodies are not mandated to undertake yearly audits, they are “also encouraged to provide their assessments, as this creates a richer picture of legacy IT across the wider government”, while organisations throughout the wider public sector are advised that using the framework will support a “consistent and structured approach to managing legacy IT [and] will help [them] understand how their risks compare to other organisations”, according to the guidelines.
“Recognising the importance of modernisation and the need to keep pace with technological advancements, government departments are increasingly focused on addressing the issues posed by legacy IT”, the document added. “Initiatives are being undertaken to assess, prioritise, and upgrade or replace these outdated systems with more modern and efficient solutions. This transition not only enhances operational efficiency but also improves data security, user experience, and the ability to deliver public services effectively.”